fix: Get the RBAC stuff working again

.devcontainer/Dockerfile

@@ -5,7 +5,7 @@ FROM golang:1.26.0-bookworm AS ci
 # Avoid warnings by switching to noninteractive
 ENV DEBIAN_FRONTEND=noninteractive
 
-# Install essential packages (no Docker)
+# Install essential packages + Docker CLI (for DooD via socket mount in CI)
 RUN apt-get update \
     && apt-get -y install --no-install-recommends \
     git \
@@ -18,6 +18,14 @@ RUN apt-get update \
     acl \
     rsync \
     gettext-base \
+    gnupg \
+    && install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
+    && chmod a+r /etc/apt/keyrings/docker.asc \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
+       > /etc/apt/sources.list.d/docker.list \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends docker-ce-cli \
     && apt-get autoremove -y \
     && apt-get clean -y \
     && rm -rf /var/lib/apt/lists/*
@@ -27,7 +35,8 @@ ENV KUBECTL_VERSION=v1.35.0 \
     KUSTOMIZE_VERSION=5.8.1 \
     KUBEBUILDER_VERSION=4.11.1 \
     GOLANGCI_LINT_VERSION=v2.10.1 \
-    HELM_VERSION=v4.0.0
+    HELM_VERSION=v4.0.0 \
+    KIND_VERSION=v0.31.0
 
 # Install kubectl
 RUN curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
@@ -53,6 +62,10 @@ RUN curl -fsSL https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz \
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh \
     | sh -s -- -b /usr/local/bin ${GOLANGCI_LINT_VERSION}
 
+# Install Kind (needed in CI for e2e cluster creation, and in dev for local clusters)
+RUN curl -Lo /usr/local/bin/kind "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" \
+    && chmod +x /usr/local/bin/kind
+
 # Set working directory
 WORKDIR /workspaces
 
@@ -101,11 +114,23 @@ USER root
 # Switch to noninteractive for package installation
 ENV DEBIAN_FRONTEND=noninteractive
 
-# Install Kind (for local Kubernetes clusters)
-# Docker is provided by devcontainer.json docker-in-docker feature
-ENV KIND_VERSION=v0.31.0
-RUN curl -Lo /usr/local/bin/kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64
-RUN chmod +x /usr/local/bin/kind
+# Kind is already installed in the ci stage above.
+
+# Install Tilt CLI (local dev loop orchestration; dev stage only)
+# https://github.com/tilt-dev/tilt/releases
+ENV TILT_VERSION=v0.36.3
+RUN arch="$(dpkg --print-architecture)" && \
+    case "${arch}" in \
+        amd64) tilt_arch="x86_64" ;; \
+        arm64) tilt_arch="arm64" ;; \
+        *) echo "unsupported architecture for Tilt: ${arch}" && exit 1 ;; \
+    esac && \
+    tilt_version_no_v="${TILT_VERSION#v}" && \
+    curl -fsSL -o /tmp/tilt.tar.gz \
+      "https://github.com/tilt-dev/tilt/releases/download/${TILT_VERSION}/tilt.${tilt_version_no_v}.linux.${tilt_arch}.tar.gz" && \
+    tar -xzf /tmp/tilt.tar.gz -C /tmp tilt && \
+    install -m 0755 /tmp/tilt /usr/local/bin/tilt && \
+    rm -f /tmp/tilt /tmp/tilt.tar.gz
 
 # Install Delve debugger for Go debugging in VSCode
 # ACLs from CI stage should be preserved, so no need to re-apply

.devcontainer/devcontainer.json

@@ -22,7 +22,8 @@
   ],
   "forwardPorts": [
     13000,
-    19090
+    19090,
+    10350
   ],
   "portsAttributes": {
     "13000": {
@@ -32,6 +33,10 @@
     "19090": {
       "label": "Prometheus",
       "onAutoForward": "notify"
+    },
+    "10350": {
+      "label": "tilt",
+      "onAutoForward": "notify"
     }
   },
   "customizations": {

.github/workflows/ci.yml

@@ -77,6 +77,8 @@ jobs:
             helm version
             golangci-lint version
             controller-gen --version
+            kind version
+            docker --version
             echo '✅ All CI container tools verified'
           "
 
@@ -122,7 +124,7 @@ jobs:
             helm version
             golangci-lint version
             kind version
-            docker --version || echo 'Docker CLI not available (expected in container)'
+            docker --version
             echo '✅ All dev container tools verified'
           "
 
@@ -252,36 +254,12 @@ jobs:
     needs: [build-ci-container, docker-build]
     env:
       PROJECT_IMAGE: ${{ needs.docker-build.outputs.image }}
-      KIND_CLUSTER: gitops-reverser-test-e2e
       CI_CONTAINER: ${{ needs.build-ci-container.outputs.image }}
-      
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
 
-      - name: Generate Kind cluster config from template
-        env:
-          HOST_PROJECT_PATH: ${{ github.workspace }}
-        run: |
-          echo "🔧 Generating cluster config with HOST_PROJECT_PATH=${HOST_PROJECT_PATH}"
-          envsubst < test/e2e/kind/cluster-template.yaml > test/e2e/kind/cluster.yaml
-          echo "✅ Generated configuration:"
-          cat test/e2e/kind/cluster.yaml
-
-      - name: Set up Kind cluster with audit webhook support
-        uses: helm/kind-action@v1.13.0
-        with:
-          cluster_name: ${{ env.KIND_CLUSTER }}
-          version: v0.31.0
-          config: test/e2e/kind/cluster.yaml
-          wait: 5m
-
-      - name: Verify cluster and audit setup
-        run: |
-          kubectl cluster-info
-          kubectl get nodes
-          echo "✅ Kind cluster is ready"
-
       - name: Login to Docker registry
         run: |
           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
@@ -291,10 +269,10 @@ jobs:
           docker run --rm \
             --network host \
             -v "${GITHUB_WORKSPACE}:${{ env.CI_WORKDIR }}" \
-            -v "$HOME/.kube:/root/.kube" \
+            -v /var/run/docker.sock:/var/run/docker.sock \
             -w "${{ env.CI_WORKDIR }}" \
             -e PROJECT_IMAGE=${{ env.PROJECT_IMAGE }} \
-            -e KIND_CLUSTER=${{ env.KIND_CLUSTER }} \
+            -e HOST_PROJECT_PATH=${{ github.workspace }} \
             ${{ env.CI_CONTAINER }} \
             bash -c "
               git config --global --add safe.directory ${{ env.CI_WORKDIR }}
@@ -310,7 +288,6 @@ jobs:
         scenario: [helm, manifest]
     env:
       PROJECT_IMAGE: ${{ needs.docker-build.outputs.image }}
-      KIND_CLUSTER: gitops-reverser-test-e2e-smoke-${{ matrix.scenario }}
       CI_CONTAINER: ${{ needs.build-ci-container.outputs.image }}
 
     steps:
@@ -323,29 +300,6 @@ jobs:
           name: release-bundle
           path: .
 
-      - name: Generate Kind cluster config from template
-        env:
-          HOST_PROJECT_PATH: ${{ github.workspace }}
-        run: |
-          echo "🔧 Generating cluster config with HOST_PROJECT_PATH=${HOST_PROJECT_PATH}"
-          envsubst < test/e2e/kind/cluster-template.yaml > test/e2e/kind/cluster.yaml
-          echo "✅ Generated configuration:"
-          cat test/e2e/kind/cluster.yaml
-
-      - name: Set up Kind cluster with audit webhook support
-        uses: helm/kind-action@v1.13.0
-        with:
-          cluster_name: ${{ env.KIND_CLUSTER }}
-          version: v0.31.0
-          config: test/e2e/kind/cluster.yaml
-          wait: 5m
-
-      - name: Verify cluster setup
-        run: |
-          kubectl cluster-info
-          kubectl get nodes
-          echo "✅ Kind cluster is ready"
-
       - name: Login to Docker registry
         run: |
           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
@@ -356,11 +310,11 @@ jobs:
           docker run --rm \
             --network host \
             -v "${GITHUB_WORKSPACE}:${{ env.CI_WORKDIR }}" \
-            -v "$HOME/.kube:/root/.kube" \
+            -v /var/run/docker.sock:/var/run/docker.sock \
             -w "${{ env.CI_WORKDIR }}" \
             -e PROJECT_IMAGE=${{ env.PROJECT_IMAGE }} \
-            -e KIND_CLUSTER=${{ env.KIND_CLUSTER }} \
             -e HELM_CHART_SOURCE="./gitops-reverser.tgz" \
+            -e HOST_PROJECT_PATH=${{ github.workspace }} \
             ${{ env.CI_CONTAINER }} \
             bash -c "
               git config --global --add safe.directory ${{ env.CI_WORKDIR }}

.gitignore

@@ -39,3 +39,4 @@ dist/install.yaml
 
 *.o.yaml
 *.ignore.*
+.stamps/*

AGENTS.md

@@ -17,6 +17,13 @@ make test      # Must pass all unit tests with >90% coverage
 make test-e2e  # Must pass end-to-end tests
 ```
 
+And before you are really really wrapping up, also run:
+
+```bash
+make test-e2e-quickstart-manifest
+make test-e2e-quickstart-helm
+```
+
 ## PRE-IMPLEMENTATION BEHAVIOR
 
 1. **Check Docker availability for e2e tests**: Before running `make test-e2e`, verify Docker is running with `docker info` or ask user to start Docker daemon if needed